Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 IGTF & EUGridPMA status update SHA-2 – and more (David Groep,

Published byLorin Chandler Modified over 8 years ago

Similar presentations

Presentation on theme: "Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 IGTF & EUGridPMA status update SHA-2 – and more (David Groep,"— Presentation transcript:

1 www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 IGTF & EUGridPMA status update SHA-2 – and more (David Groep, Nikhef) David Groep, Nikhef and NL-NGI for EGI global task O-E-15 This work is supported by EGI-InSPIRE under NA2 and SA1.2 davidg@nikhef.nl, orcid.org/0000-0003-1026-6606

2 www.egi.eu EGI-InSPIRE RI-261323 IGTF developments From Recent IGTF meetings Slightly revised SHA-2 time line IOTA Authentication Profile: what do you, the Relying Parties, actually need? Credential Repositories Link to complete list of topics and discussions https://www.eugridpma.org/meetings/2013-09/ EUGridPMA for EGI-TF13 2013-09-18 2

3 www.egi.eu EGI-InSPIRE RI-261323 SHA-2 time line agreed Now –CA certificates in IGTF distribution & CRLs at official distribution points should use SHA-1 –CAs should issue SHA-1 end entity certificates by default –CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request. CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs 1 st December 2013 1 st October 2013 –CAs should begin to phase out issuance of SHA-1 end entity certificates –CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default –Some Cas will defer transition till after New Year for helpdesk/support issues 1 st April 2014 –New CA certificates should use SHA-2 (SHA-512) –Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512) –Existing root CA certificates may continue to use SHA-1 1 st October 2014 –CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points. 1 st February 2015 (‘sunset date’) –All issued SHA-1 end entity certificates should (not: must!) be expired or revoked. In case of new SHA-1 vulnerabilities, the above schedule may be revised. EUGridPMA for EGI-TF13 2013-09-18 3

4 www.egi.eu EGI-InSPIRE RI-261323 SHA-2 readiness Introduction of SHA-2 will be gradual Newly issued certificates will be mostly SHA-2 –Takes up to 13 months to roll over –Some subscribers will continue to request SHA-1 for a while Some CAs are SHA-2 capable, but their migration time line is not driven solely by us (i.e. some commercials) –Their time line is driven by the largest customer base –All can do SHA-2 already – some do on request (since non-grid customers do request SHA-2-only PKIs) –it is because of these that RPs have to be ready, because when directives come from CABForum they will change, and do it quite irrespective of our time table! EUGridPMA for EGI-TF13 2013-09-18 4

5 www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Differentiated Assurance IOTA Authentication Profile

6 www.egi.eu EGI-InSPIRE RI-261323 IOTA profile New IGTF Authentication Profile IOTA: Identifier-Only Trust Assurance with Secured Infrastructure Lower level of assurance in Identity Vetting –Compensated by more ID vetting by VO or RP Questionnaire has been produced –To gather stakeholder requirements See AAI session that happened here at the EGI TF on Tuesday morning at 11:00 CEST. EUGridPMA for EGI-TF13 2013-09-18 6

7 www.egi.eu EGI-InSPIRE RI-261323 Moving the bar towards differentiated assurance http://wiki.eugridpma.org/Main/IOTASecuredInfraAP IOTA AP assurance level is different, and rest must be taken up by somebody else Consider questions about –Real names and pseudonyms –Enrolling users in a community –Keeping audit records in the VO –Auditability and tracing –Incident response See session on Identity Management! 2013-09-18 EUGridPMA for EGI-TF13 Identity elements identifier management re-binding and revocation binding to entities traceability of entities emergency communications regular communications ‘rich’ attribute assertions correlating identifiers access control 7

8 www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Credential Repositories

9 www.egi.eu EGI-InSPIRE RI-261323 Credential Repository plug Did you know … –… that the IGTF Private Key Protection guidelines allow for institutional and national credential repositories, to manage user keys? http://www.eugridpma.info/guidelines/pkp/ –… the Credential Store Operations Guidelines gives best current practice for running a trusted store? http://www.eugridpma.info/guidelines/trustedstores/ –… software to build (federated) credential repos is there, such as MyProxy? –… there are easy ways to get (PKI) certificates through on- line CAs or the TERENA TCS in many countries? EUGridPMA for EGI-TF13 2013-09-18 9

10 www.egi.eu EGI-InSPIRE RI-261323 Summary Review detailed summary at https://www.eugridpma.org/meetings/2013-09/ Questions? EUGridPMA for EGI-TF13 2013-09-18 10

Download ppt "Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 IGTF & EUGridPMA status update SHA-2 – and more (David Groep,"

Similar presentations

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 The IGTF IOTA Profile towards differentiated assurance levels.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI The IGTF IOTA Profile towards differentiated assurance levels.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
National Center for Supercomputing Applications PKI and CKM ® Scaling Study NCASSR Kick-off Meeting June 11-12, 2003 Jim Basney

National Center for Supercomputing Applications PKI and CKM ® Scaling Study NCASSR Kick-off Meeting June 11-12, 2003 Jim Basney
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.

David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Unified Middleware Distribution (UMD): SW provisioning to EGI Mario David.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Similar presentations

Ads by Google